Detecting Exchange Online Shared Mailboxes That Need Licenses

Shared Mailbox License Only Needed Under Three Specific Conditions

Exchange Online shared mailboxes don’t need licenses unless they:

• Exceed 50 GB in mailbox size.
• Have an archive mailbox. This allows the Managed Folder Assistant to offload older items through an Exchange Online mailbox retention policy.
• Are on litigation hold. As Exchange Online won’t allow an administrator to put a shared mailbox on litigation hold, this implies that the mailbox originally belonged to a user before conversion to a shared mailbox. Organizations sometimes preserve the mailboxes of ex-employees by converting them into shared mailboxes. In many cases, making the mailboxes inactive is a better choice.

In these cases, Microsoft requires the shared mailbox to have an Exchange Online Plan 2 license, which you can assign in the Microsoft 365 admin center or with PowerShell. If you don’t have an Exchange Online Plan 2 license, you can also use a license like Office 365 E3 that contains the Exchange Online Plan 2 service plan. In effect, you assign the license to the Azure AD account that Exchange Online creates automatically for the shared mailbox. Azure AD doesn’t disable the account and it works like other Azure AD accounts, but you should never sign into it.

For instance, to assign an Office 365 E3 license to a shared mailbox, you could run these commands:

$M = Get-ExoMailbox -RecipientTypeDetails SharedMailbox -Identity 'Customer Services'
Set-MgUserLicense -UserId $M.ExternalDirectoryObjectId -Addlicenses @{SkuId = '6fd2c87f-b296-42f0-b197-1e91e994b900'} -RemoveLicenses @()

See this page for details of the identifiers for Microsoft 365 licenses and this article for more information about how to manage licenses for Azure AD accounts with PowerShell.

Finding Shared Mailboxes that Need Licenses

Microsoft doesn’t actively block shared mailboxes that breach the licensing conditions. However, it’s a good idea to make sure that all the shared mailboxes in a tenant have licenses when required. The shared mailboxes section in the Microsoft 365 admin center gives no hint of when mailboxes need licenses, but some processing with PowerShell should do the trick.

The steps seem easy enough:

• Find all shared mailboxes.
• Check each mailbox to see if it has an archive, exceeds 50 GB, or is on litigation hold.
• Check the mailbox’s account to see if it has an Exchange Online Plan 2 license.
• Report what we find.

The full script is available from GitHub. The main loop for each mailbox is below.

Write-Host ("Processing mailbox {0} ({1} of {2})" -f $M.DisplayName, $i, $Mbx.count)
   $NeedsLicense = $False; $ArchiveStatus = $Null; $ExoArchiveLicense = $False; $ExoPlan2License = $False; $LicenseStatus = "OK"; $ArchiveStats = $Null
   $MailboxOverSize = $False; $ExoPlan1License = $False; $ArchiveMbxSize = $Null
   
   $MbxStats = Get-ExoMailboxStatistics -Identity $M.ExternalDirectoryObjectId
   $MbxSize = [math]::Round(($MbxStats.TotalItemSize.Value.toBytes() / 1GB),5)
   If ($M.ArchiveStatus -ne "None") { #Mailbox has an archive
      $ArchiveStats = Get-ExoMailboxStatistics -Archive -Identity $M.ExternalDirectoryObjectId 
      If ($ArchiveStats) {       
          $ArchiveMbxSize = [math]::Round(($ArchiveStats.TotalItemSize.Value.toBytes() / 1GB),5)}
   }
   $Licenses = Get-MgUserLicenseDetail -UserId $M.ExternalDirectoryObjectId | Select-Object -ExpandProperty ServicePlans | Where-Object {$_.ProvisioningStatus -eq "Success"} | Sort ServicePlanId -Unique
   If ($Licenses) { # The mailbox has some licenses
     If ($ExoArchiveAddOn -in $Licenses.ServicePlanId) { $ExoArchiveLicense = $True }
     If ($ExoPlan2 -in $Licenses.ServicePlanId) { $ExoPlan2License = $True }
     If ($ExoPlan1 -in $Licenses.ServicePlanId) { $ExpPlan1License = $True }
  }

  # Mailbox has an archive and it doesn't have an Exchange Online Plan 2 license, unless it has Exchange Online Plan 1 and the
  # archive add-on
  If ($M.ArchiveStatus -eq "Active") {
    If ($ExoPlan2License -eq $False) { $NeedsLicense = $True }
    If ($ExoPlan1License -eq $True -and $ExoArchiveLicense -eq $True) { $NeedsLicense = $False }
  }
  # Mailbox is on litigation hold and it doesn't have an Exchange Online Plan 2 license
  If ($M.LitigationHoldEnabled -eq $True -and $ExoPlan2License -eq $False)  { $NeedsLicense = $True }
  # Mailbox is over the 50GB limit for unlicensed shared mailboxes
  If ($MbxStats.TotalItemSize.value -gt $MailboxLimit) { # Exceeds mailbox size for unlicensed shared mailboxes
      $MailboxOverSize = $True
      $NeedsLicense = $True}

Analyzing the Outcome

The code is rough and ready but serves its purpose (which is always a good state for a PowerShell script to be in). At the end of the processing, the script generates some basic statistics, including highlighting any shared mailboxes it thinks need licenses together with the reason why (Figure 1).

Figure 2 shows the kind of information the script gathers for the shared mailboxes. In this case, I had assigned a license to one of the two mailboxes highlighted in Figure 1, so only one mailbox shows up as still needing a license.

Shared Mailboxes Don’t Need Much Attention

Usually, shared mailboxes don’t need much attention. They function like they’ve always functioned because Microsoft hasn’t changed their functionality much over the past few years. However, some shared mailboxes might need licenses. It’s best to find and rectify the issue before you run into problems. Unlicensed shared mailboxes that exceed their 50 GB allocation can’t send any new emails until they receive a license and will eventually stop receiving inbound messages. That’s a sad situation to be in!

---

Keep up with the changing world of the Microsoft 365 ecosystem by subscribing to the Office 365 for IT Pros eBook. Monthly updates mean that our subscribers learn about new developments as they happen.